DASTProxy: Don’t let your automated security testing program stall on crawl. Instead focus on business context.

Presented at AppSec USA 2017, Sept. 21, 2017, 3:30 p.m. (45 minutes).

Many automated security programs look at crawling through a website before testing as a measure to build security automation. However, such an approach has limited success when you are dealing with huge applications that have numerous teams working on modular components or subsections. At eBay, it was instantly clear that such an approach was doomed to fail. Instead the Secure Development Life Cycle Team leveraged the knowledge and business context that our product development teams had built into functional testing, to enhance our dynamic security testing automation. This let us further our goal to make security a responsibility of every product development team at eBay. This talk is about our journey and the open sourced automation framework (https://github.com/eBay/DASTProxy) that we built to make our dreams and goals a reality.


Presenters:

  • Kiran Sharadkumar Shirali - Senior Security Engineer, Red Team - eBay
    Kiran Shirali is a Senior Security Engineer in eBay's Red Team. During the day, he is scouring eBay's networks and applications for flaws that could lead hackers get access to critical assets. He is also involved in various other initiatives that help on the defensive side of security and is a supporter of automation and baking security into all processes and development activities within eBay. When he is not at work he loves to spend his time on security research and participates in numerous bug bounties.
  • Srinivasa Rao Chirathanagandla - Senior Software Engineer - eBay
    Srinivasa Rao is an Information Security Engineer in AppSec at eBay, responsible for developing applications and tools for Secure Product Life Cycle (SPLC) and SecDevOps. He is a full-stack developer who enjoys coding using java, grails/groovy, angularJS and interacting with relational databases. He is a Computer Science Engineer with experience in Finance, IT, SCM and Identity Management domains.

Links:

Similar Presentations: